SUSE-SU-2026:1761-1

Details

Description of the patch:

This update for nginx fixes the following issues:

CVE-2026-1642: plain text data injection into the response from an upstream proxied server via MITM attack (bsc#1257675).
CVE-2026-27654: buffer overflow in the NGINX worker process via the ngx_http_dav_module module (bsc#1260416).
CVE-2026-27784: NGINX worker memory overread or overwrite via a specially crafted MP4 file (bsc#1260417).
CVE-2026-28753: arbitrary header injection into SMTP upstream requests via attacker-controlled DNS server (bsc#1260418).

Affected Packages

nginx

SUSE Linux Enterprise Module for Server Applications 15 SP7SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6

Fixed in:

1.21.5-150600.10.15.1

nginx-source

SUSE Linux Enterprise Module for Server Applications 15 SP7SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6

Fixed in:

1.21.5-150600.10.15.1

References

ADVISORY

https://bugzilla.suse.com/1257675

ADVISORY

https://bugzilla.suse.com/1260416

ADVISORY

https://bugzilla.suse.com/1260417

ADVISORY

https://bugzilla.suse.com/1260418

ADVISORY